Exploitation Techniques for Data-oriented Attacks with Existing and Potential Defense Approaches

Data-oriented attacks manipulate non-control data to alter a program’s benign behavior without violating its control-flow integrity. It has been shown that such attacks can cause significant damage even in the presence of control-flow defense mechanisms. However, these threats have not been adequately addressed. In this survey article, we first map data-oriented exploits, including Data-Oriented Programming (DOP) and Block-Oriented Programming (BOP) attacks, to their assumptions/requirements and attack capabilities. Then, we compare known defenses against these attacks, in terms of approach, detection capabilities, overhead, and compatibility. It is generally believed that control flows may not be useful for data-oriented security. However, data-oriented attacks (especially DOP attacks) may generate side effects on control-flow behaviors in multiple dimensions (i.e., incompatible branch behaviors and frequency anomalies). We also characterize control-flow anomalies caused by data-oriented attacks. In the end, we discuss challenges for building deployable data-oriented defenses and open research questions.

[1]  D. Yao,et al.  Deep Learning-Based Anomaly Detection in Cyber-Physical Systems: Progress and Opportunities , 2020, ACM Comput. Surv..

[2]  Lui Sha,et al.  Checking is Believing: Event-Aware Program Anomaly Detection in Cyber-Physical Systems , 2018, IEEE Transactions on Dependable and Secure Computing.

[3]  Xin-She Yang,et al.  Introduction to Algorithms , 2021, Nature-Inspired Optimization Algorithms.

[4]  Edward J. Schwartz,et al.  A Generic Technique for Automatically Finding Defense-Aware Code Reuse Attacks , 2020, CCS.

[5]  Michael Franz,et al.  CoDaRR: Continuous Data Space Randomization against Data-Only Attacks , 2020, AsiaCCS.

[6]  Aravind Prakash,et al.  Simplex: Repurposing Intel Memory Protection Extensions for Information Hiding , 2020, ArXiv.

[7]  Ya Xiao,et al.  Methodologies for Quantifying (Re-)randomization Security and Timing under JIT-ROP , 2020, CCS.

[8]  S. Jha,et al.  OAT: Attesting Operation Integrity of Embedded Devices , 2018, IEEE Symposium on Security and Privacy.

[9]  Kevin W. Hamlen,et al.  Binary Control-Flow Trimming , 2019, CCS.

[10]  Ahmad-Reza Sadeghi,et al.  HardScope: Hardening Embedded Systems Against Data-Oriented Attacks , 2019, 2019 56th ACM/IEEE Design Automation Conference (DAC).

[11]  Thorsten Holz,et al.  STEROIDS for DOPed Applications: A Compiler for Automated Data-Oriented Programming , 2019, 2019 IEEE European Symposium on Security and Privacy (EuroS&P).

[12]  Christof Fetzer,et al.  Intel MPX Explained: A Cross-layer Analysis of the Intel MPX System Stack , 2019, PERV.

[13]  Kui Wang,et al.  PAC it up: Towards Pointer Integrity using ARM Pointer Authentication , 2018, USENIX Security Symposium.

[14]  Per Larsen,et al.  SoK: Sanitizing for Security , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[15]  Sparsh Mittal A survey of techniques for dynamic branch prediction , 2018, Concurr. Comput. Pract. Exp..

[16]  William R. Harris,et al.  Enforcing Unique Code Target Property for Control-Flow Integrity , 2018, CCS.

[17]  Per Larsen,et al.  Hardware Assisted Randomization of Data , 2018, RAID.

[18]  Christof Fetzer,et al.  Intel MPX Explained , 2018, PERV.

[19]  Simha Sethumadhavan,et al.  Practical Memory Safety with REST , 2018, 2018 ACM/IEEE 45th Annual International Symposium on Computer Architecture (ISCA).

[20]  Chen Liu,et al.  Detecting Data Exploits Using Low-level Hardware Information: A Short Time Series Approach , 2018 .

[21]  Long Lu,et al.  Compiler-Assisted Code Randomization , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[22]  Trent Jaeger,et al.  Block Oriented Programming: Automating Data-Only Attacks , 2018, CCS.

[23]  Manos Antonakakis,et al.  Security Risks in Asynchronous Web Servers: When Performance Optimizations Amplify the Impact of Data-Oriented Attacks , 2018, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[24]  Long Cheng,et al.  Orpheus: Enforcing Cyber-Physical Execution Semantics to Defend Against Data-Oriented Attacks , 2017, ACSAC.

[25]  Salvatore J. Stolfo,et al.  Anomaly Detection as a Service: Challenges, Advances, and Opportunities , 2017, Anomaly Detection as a Service.

[26]  Naren Ramakrishnan,et al.  Long-Span Program Behavior Modeling and Attack Detection , 2017, ACM Trans. Priv. Secur..

[27]  Michalis Polychronakis,et al.  Revisiting Browser Security in the Modern Era: New Data-Only Attacks and Defenses , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[28]  Christof Fetzer,et al.  SGXBOUNDS: Memory Safety for Shielded Execution , 2017, EuroSys.

[29]  Trent Jaeger,et al.  GRIFFIN: Guarding Control Flows Using Intel Processor Trace , 2017, ASPLOS.

[30]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..

[31]  Quan Chen,et al.  PrivWatcher: Non-bypassable Monitoring and Protection of Process Credentials from Memory Corruption Attacks , 2017, AsiaCCS.

[32]  Zhiqiang Lin,et al.  PT-CFI: Transparent Backward-Edge Control Flow Violation Detection Using Intel Processor Trace , 2017, CODASPY.

[33]  Ahmad-Reza Sadeghi,et al.  PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables , 2017, NDSS.

[34]  Yutao Liu,et al.  Transparent and Efficient CFI Enforcement with Intel Processor Trace , 2017, 2017 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[35]  William R. Harris,et al.  Efficient Protection of Path-Sensitive Control Security , 2017, USENIX Security Symposium.

[36]  F. Piessens,et al.  Towards Automatic Compartmentalization of C Programs on Capability Machines , 2017 .

[37]  Roland H. C. Yap,et al.  Stack Bounds Protection with Low Fat Pointers , 2017, NDSS.

[38]  Junfeng Yang,et al.  Shuffler: Fast and Deployable Continuous Code Re-Randomization , 2016, OSDI.

[39]  Zhenkai Liang,et al.  "The Web/Local" Boundary Is Fuzzy: A Security Study of Chrome's Process-based Sandboxing , 2016, CCS.

[40]  Per Larsen,et al.  Selfrando: Securing the Tor Browser against De-anonymization Exploits , 2016, Proc. Priv. Enhancing Technol..

[41]  Chen Liu,et al.  Can Data-Only Exploits be Detected at Runtime Using Hardware Events?: A Case Study of the Heartbleed Vulnerability , 2016, HASP 2016.

[42]  Ahmad-Reza Sadeghi,et al.  C-FLAT: Control-Flow Attestation for Embedded Systems Software , 2016, CCS.

[43]  Zhenkai Liang,et al.  Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[44]  Yunheung Paek,et al.  HDFI: Hardware-Assisted Data-Flow Isolation , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[45]  Naren Ramakrishnan,et al.  Causality reasoning about network events for detecting stealthy malware activities , 2016, Comput. Secur..

[46]  Roland H. C. Yap,et al.  Heap bounds protection with low fat pointers , 2016, CC.

[47]  Yue Chen,et al.  Remix: On-demand Live Randomization , 2016, CODASPY.

[48]  Scott A. Carr,et al.  Control-Flow Integrity: Precision, Security, and Performance , 2016, 1602.04056.

[49]  Marsha Chechik,et al.  Tools and Algorithms for the Construction and Analysis of Systems , 2016, Lecture Notes in Computer Science.

[50]  Hai Huang,et al.  Kernel Data Attack Is a Realistic Security Threat , 2015, SecureComm.

[51]  Wenke Lee,et al.  ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks , 2015, CCS.

[52]  Salvatore J. Stolfo,et al.  Heisenbyte: Thwarting Memory Disclosure Attacks using Destructive Code Reads , 2015, CCS.

[53]  William W. Streilein,et al.  Timely Rerandomization for Mitigating Memory Disclosures , 2015, CCS.

[54]  Naren Ramakrishnan,et al.  Unearthing Stealthy Program Attacks Buried in Extremely Long Execution Paths , 2015, CCS.

[55]  Fan Long,et al.  Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity , 2015, CCS.

[56]  Zhenkai Liang,et al.  Automatic Generation of Data-Oriented Exploits , 2015, USENIX Security Symposium.

[57]  David A. Wagner,et al.  Control-Flow Bending: On the Effectiveness of Control-Flow Integrity , 2015, USENIX Security Symposium.

[58]  Thomas R. Gross,et al.  Fine-Grained Control-Flow Integrity Through Binary Hardening , 2015, DIMVA.

[59]  Per Larsen,et al.  Readactor: Practical Code Randomization Resilient to Memory Disclosure , 2015, 2015 IEEE Symposium on Security and Privacy.

[60]  Peter G. Neumann,et al.  CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization , 2015, 2015 IEEE Symposium on Security and Privacy.

[61]  Stelios Sidiroglou,et al.  Missing the Point(er): On the Effectiveness of Code Pointer Integrity , 2015, 2015 IEEE Symposium on Security and Privacy.

[62]  Ahmad-Reza Sadeghi,et al.  Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming , 2015, NDSS.

[63]  Michael Backes,et al.  You Can Run but You Can't Read: Preventing Disclosure Exploits in Executable Code , 2014, CCS.

[64]  Jeff Seibert,et al.  Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code , 2014, CCS.

[65]  Peter G. Neumann,et al.  The CHERI capability model: Revisiting RISC in an age of risk , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[66]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[67]  Per Larsen,et al.  SoK: Automated Software Diversity , 2014, 2014 IEEE Symposium on Security and Privacy.

[68]  Jonathan M. Smith,et al.  Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security , 2013, CCS.

[69]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[70]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[71]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[72]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[73]  Per Larsen,et al.  Profile-guided automated software diversity , 2013, Proceedings of the 2013 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[74]  Kevin W. Hamlen,et al.  Binary stirring: self-randomizing instruction addresses of legacy x86 binary code , 2012, CCS.

[75]  Cristiano Giuffrida,et al.  Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization , 2012, USENIX Security Symposium.

[76]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[77]  Jack W. Davidson,et al.  ILR: Where'd My Gadgets Go? , 2012, 2012 IEEE Symposium on Security and Privacy.

[78]  David Brumley,et al.  Unleashing Mayhem on Binary Code , 2012, 2012 IEEE Symposium on Security and Privacy.

[79]  Hovav Shacham,et al.  Return-Oriented Programming: Systems, Languages, and Applications , 2012, TSEC.

[80]  Xi Wang,et al.  Software fault isolation with API integrity and multi-principal modules , 2011, SOSP.

[81]  user surfaces,et al.  Data Execution Prevention , 2011 .

[82]  David Brumley,et al.  Q: Exploit Hardening Made Easy , 2011, USENIX Security Symposium.

[83]  David Walker,et al.  Modular Protections against Non-control Data Attacks , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[84]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[85]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[86]  Claude Castelluccia,et al.  Code injection attacks on harvard-architecture devices , 2008, CCS.

[87]  S. Bhatkar,et al.  Data Space Randomization , 2008, DIMVA.

[88]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[89]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[90]  Milo M. K. Martin,et al.  Hardbound: architectural support for spatial safety of the C programming language , 2008, ASPLOS.

[91]  M. Castro,et al.  Data Randomization , 2008 .

[92]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[93]  Arati Baliga,et al.  Lurking in the Shadows: Identifying Systemic Threats to Kernel Data , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[94]  Peng Ning,et al.  Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[95]  Tao Zhang,et al.  Using Branch Correlation to Identify Infeasible Paths for Anomaly Detection , 2006, 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06).

[96]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[97]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[98]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[99]  Susan Horwitz,et al.  Protecting C programs from attacks via invalid pointer dereferences , 2003, ESEC/FSE-11.

[100]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[101]  Andrew W. Moore,et al.  X-means: Extending K-means with Efficient Estimation of the Number of Clusters , 2000, ICML.

[102]  Sanjay J. Patel,et al.  An analysis of correlation and predictability: what makes two-level branch predictors work , 1998, Proceedings. 25th Annual International Symposium on Computer Architecture (Cat. No.98CB36235).

[103]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[104]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[105]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[106]  Elaine J. Weyuker,et al.  Selecting Software Test Data Using Data Flow Information , 1985, IEEE Transactions on Software Engineering.